package com.sxj.corejava.code02_jdbc;

import com.sxj.corejava.entity.User;

import java.sql.*;
import java.util.ArrayList;
import java.util.List;

/**
 * @author 石小俊
 * @date 2023年11月2023/11/30日 18:03
 */
public class Test02_SQL注入 {

    public static void main(String[] args) {
//        List<User> users = selectByUsernameAndPassword("admin","123456");
//        List<User> users = selectByUsernameAndPassword("aaa","123456");
//        List<User> users = selectByUsernameAndPassword("aaa' or '1' = '1","aaa' or '1' = '1");
//        if(users.isEmpty()){
//            System.out.println("用户名或密码错误");
//        } else{
//            System.out.println("登录成功,登录的用户如下:");
//            for(User user : users){
//                System.out.println(user);
//            }
//        }
//        List<User> users = selectByUsernameAndPassword2("admin","123456");
//        List<User> users = selectByUsernameAndPassword2("aaa","123456");
        List<User> users = selectByUsernameAndPassword2("aaa' or '1' = '1","aaa' or '1' = '1");
        if(users.isEmpty()){
            System.out.println("用户名或密码错误");
        } else{
            System.out.println("登录成功,登录的用户如下:");
            for(User user : users){
                System.out.println(user);
            }
        }
    }

    public static List<User> selectByUsernameAndPassword(String username, String password) {
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8", "root", "");
            st = conn.createStatement();
            String sql = "select id,username,password,phone,address from t_user where username = '" + username + "' and password = '" + password + "'";
            rs = st.executeQuery(sql);
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }

        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            System.out.println("未找到驱动");
        } catch (SQLException e) {
            e.printStackTrace();
            System.out.println("连接数据库失败");
        } finally {
            // 6.释放资源
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                    System.out.println("释放连接出错");
                }
            }
            if (st != null) {
                try {
                    st.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
        }
        return users;
    }

    public static List<User> selectByUsernameAndPassword2(String username,String password){
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8","root","");

//            String sql = "select id,username,password,phone,address from t_user where username = ? and password = ?";
            String sql = new StringBuffer()
                    .append(" select id,username,password,phone,address ")
                    .append(" from t_user ")
                    .append(" where username = ? ")
                    .append(" and password = ? ")
                    .toString();
            // 在获取状态集的时候已经传递了sql
            // 此时会自动对sql做预编译
            ps = conn.prepareStatement(sql);
            // 在获取到状态集之后,根据sql语句中?的数量对这些?所表示的参数赋值
            // Xxx表示参数的类型
            // index表示第几个?
            // value表示具体的值
            // ps.setXxx(index,value);
            ps.setString(1,username);
            ps.setString(2,password);
            rs = ps.executeQuery();
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        }  catch (ClassNotFoundException e) {
            e.printStackTrace();
            System.out.println("未找到驱动");
        } catch (SQLException e) {
            e.printStackTrace();
            System.out.println("连接数据库失败");
        } finally {
            // 6.释放资源
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                    System.out.println("释放连接出错");
                }
            }
            if (ps != null) {
                try {
                    ps.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
        }
        return users;
    }
}
